PHP :: Bug #61996 :: Segfault in php-fpm, no memcached running, sessions in memcached

Bug #61996	Segfault in php-fpm, no memcached running, sessions in memcached
Submitted:	2012-05-10 14:44 UTC	Modified:	2012-05-14 07:27 UTC
From:	radical@php.net	Assigned:	radical (profile)
Status:	Closed	Package:	memcached (PECL)
PHP Version:	5.4.3	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	radical@php.net
New email:
PHP Version:		OS:

New Comment:

[2012-05-10 14:44 UTC] radical@php.net

Description:
------------
[root@caffeine nginx]# php -v
PHP 5.4.3 (cli) (built: May 10 2012 11:18:42) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

[root@caffeine nginx]# pecl list | grep memcached
memcached 2.0.1   stable

/etc/php.ini - relevant settings
session.save_handler = memcached
session.save_path = "127.0.0.1:11211"
session.serialize_handler=igbinary # disabling this still cause the segfault... 
so it's not igbinary related

Test script:
---------------
<?php

set_error_handler('errorHandler');

session_start();

function errorHandler($errno, $errstr, $errfile = '', $errline = 0, array $errcontext = array())
{
	print_r($errcontext, true);
	// return true; // this line on/off still get the segfault
}

echo 1;

Expected result:
----------------
1

Actual result:
--------------
[root@[REMOVED] nginx]# tail /var/log/messages
May 10 15:29:29 [REMOVED] kernel: php-fpm[11815]: segfault at 0 ip 
000000000077cd16 sp 00007fffe35c2b80 error 6 in php-fpm[400000+8a7000]

nginx says: 502 Bad Gateway
and logs: 

2012/05/10 15:49:43 [error] 8522#0: *364 recv() failed (104: Connection reset by 
peer) while reading response header from upstream, client: [SOME_IP], server: 
[DOMAIN_NAME].ro, request: "GET /sesstest.php HTTP/1.1", upstream: 
"fastcgi://127.0.0.1:9000", host: "[DOMAIN_NAME].ro"

-----------

From my tests I concluded that ALL the following conditions must be met for this 
to occur:
- memcached server stopped
- set_error_handler
- session_start
- print_r($errcontext, true) # even the second param is important leaving it as 
print_r($errcontext) will cause the script to run properly.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-05-10 14:48 UTC] radical@php.net

[root@caffeine nginx]# strace -p 12690 -p 13598
Process 12690 attached - interrupt to quit
Process 13598 attached - interrupt to quit
[pid 13598] accept(0,  <unfinished ...>
[pid 12690] accept(0,  <unfinished ...>
[pid 13598] <... accept resumed> {sa_family=AF_INET, sin_port=htons(43156), 
sin_addr=inet_addr("127.0.0.1")}, [16]) = 3
[pid 13598] clock_gettime(CLOCK_MONOTONIC, {289461, 530796575}) = 0
[pid 13598] gettimeofday({1336661210, 593804}, NULL) = 0
[pid 13598] times({tms_utime=0, tms_stime=0, tms_cutime=0, tms_cstime=0}) = 
458343203
[pid 13598] poll([{fd=3, events=POLLIN}], 1, 5000) = 1 ([{fd=3, 
revents=POLLIN}])
[pid 13598] read(3, "\1\1\0\1\0\10\0\0", 8) = 8
[pid 13598] read(3, "\0\1\0\0\0\0\0\0", 8) = 8
[pid 13598] read(3, "\1\4\0\1\3\352\6\0", 8) = 8
[pid 13598] read(3, "\17&SCRIPT_FILENAME/www/[DOMAIN_NAME]."..., 1008) = 1008
[pid 13598] read(3, "\1\4\0\1\0\0\0\0", 8) = 8
[pid 13598] gettimeofday({1336661210, 594794}, NULL) = 0
[pid 13598] lstat("/www/[DOMAIN_NAME].ro/Web/www/sesstest.php", 
{st_mode=S_IFREG|0644, st_size=262, ...}) = 0
[pid 13598] lstat("/www/[DOMAIN_NAME].ro/Web/www", {st_mode=S_IFDIR|0755, 
st_size=4096, ...}) = 0
[pid 13598] lstat("/www/[DOMAIN_NAME].ro/Web", {st_mode=S_IFDIR|0755, 
st_size=4096, ...}) = 0
[pid 13598] lstat("/www/[DOMAIN_NAME].ro", {st_mode=S_IFDIR|0755, st_size=4096, 
...}) = 0
[pid 13598] lstat("/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
[pid 13598] clock_gettime(CLOCK_MONOTONIC, {289461, 532597083}) = 0
[pid 13598] gettimeofday({1336661210, 595651}, NULL) = 0
[pid 13598] stat("/www/[DOMAIN_NAME].ro/Web/www/.user.ini", 0x7fffe35c3320) = -1 
ENOENT (No such file or directory)
[pid 13598] setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={240, 0}}, 
NULL) = 0
[pid 13598] rt_sigaction(SIGPROF, {0x770590, [PROF], SA_RESTORER|SA_RESTART, 
0x7f0335e2b900}, {SIG_DFL, [], 0}, 8) = 0
[pid 13598] rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
[pid 13598] gettimeofday({1336661210, 596734}, NULL) = 0
[pid 13598] gettimeofday({1336661210, 596789}, NULL) = 0
[pid 13598] open("/www/[DOMAIN_NAME].ro/Web/www/sesstest.php", O_RDONLY) = 5
[pid 13598] fstat(5, {st_mode=S_IFREG|0644, st_size=262, ...}) = 0
[pid 13598] fstat(5, {st_mode=S_IFREG|0644, st_size=262, ...}) = 0
[pid 13598] fstat(5, {st_mode=S_IFREG|0644, st_size=262, ...}) = 0
[pid 13598] mmap(NULL, 262, PROT_READ, MAP_SHARED, 5, 0) = 0x7f032c463000
[pid 13598] clock_gettime(CLOCK_MONOTONIC, {289461, 534541940}) = 0
[pid 13598] getcwd("/www/[DOMAIN_NAME].ro", 4095) = 18
[pid 13598] chdir("/www/[DOMAIN_NAME].ro/Web/www") = 0
[pid 13598] setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={120, 0}}, 
NULL) = 0
[pid 13598] munmap(0x7f032c463000, 262) = 0
[pid 13598] close(5)                    = 0
[pid 13598] gettimeofday({1336661210, 598866}, NULL) = 0
[pid 13598] socket(PF_NETLINK, SOCK_RAW, 0) = 5
[pid 13598] bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
[pid 13598] getsockname(5, {sa_family=AF_NETLINK, pid=13598, groups=00000000}, 
[12]) = 0
[pid 13598] gettimeofday({1336661210, 599356}, NULL) = 0
[pid 13598] sendto(5, "\24\0\0\0\26\0\1\3\332\324\253O\0\0\0\0\0\0\0\0", 20, 0, 
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
[pid 13598] recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, 
groups=00000000}, msg_iov(1)=
[{"0\0\0\0\24\0\2\0\332\324\253O\0365\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\
1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108
[pid 13598] recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, 
groups=00000000}, msg_iov(1)=
[{"@\0\0\0\24\0\2\0\332\324\253O\0365\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0
"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128
[pid 13598] recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, 
groups=00000000}, msg_iov(1)=
[{"\24\0\0\0\3\0\2\0\332\324\253O\0365\0\0\0\0\0\0\1\0\0\0\24\0\1\0\0\0\0\0"..., 
4096}], msg_controllen=0, msg_flags=0}, 0) = 20
[pid 13598] close(5)                    = 0
[pid 13598] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
[pid 13598] fcntl(5, F_GETFL)           = 0x2 (flags O_RDWR)
[pid 13598] fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 13598] connect(5, {sa_family=AF_INET, sin_port=htons(11211), 
sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in 
progress)
[pid 13598] poll([{fd=5, events=POLLOUT}], 1, 4000) = 1 ([{fd=5, 
revents=POLLERR|POLLHUP}])
[pid 13598] getsockopt(5, SOL_SOCKET, SO_ERROR, [17179869295], [4]) = 0
[pid 13598] open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 6
[pid 13598] fstat(6, {st_mode=S_IFREG|0644, st_size=26050, ...}) = 0
[pid 13598] mmap(NULL, 26050, PROT_READ, MAP_SHARED, 6, 0) = 0x7f032c45d000
[pid 13598] close(6)                    = 0
[pid 13598] futex(0x7f0336183f60, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid 13598] close(5)                    = 0
[pid 13598] gettimeofday({1336661210, 601357}, NULL) = 0
[pid 13598] gettimeofday({1336661210, 601416}, NULL) = 0
[pid 13598] chdir("/www/[DOMAIN_NAME].ro")  = 0
[pid 13598] clock_gettime(CLOCK_MONOTONIC, {289461, 538570180}) = 0
[pid 13598] times({tms_utime=0, tms_stime=0, tms_cutime=0, tms_cstime=0}) = 
458343204
[pid 13598] gettimeofday({1336661210, 601609}, NULL) = 0
[pid 13598] stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2309, ...}) = 
0
[pid 13598] write(4, "127.0.0.1 -  10/May/2012:16:46:5"..., 64) = 64
[pid 13598] setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) 
= 0
[pid 13598] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
Process 13598 detached
Process 12690 detached

[2012-05-10 19:24 UTC] radical@php.net

-Package: memcache +Package: memcached

[2012-05-10 19:24 UTC] radical@php.net

It's memcached (not memcache).

[2012-05-10 19:25 UTC] radical@php.net

-Summary: Segfault in php-fpm, no memcache running, sessions in memcahe +Summary: Segfault in php-fpm, no memcached running, sessions in memcahed

[2012-05-10 19:25 UTC] radical@php.net

Updating summary:
- memcache
+ memcached

[2012-05-11 07:55 UTC] tony2001@php.net

-Status: Open +Status: Feedback

[2012-05-11 07:55 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

[2012-05-11 11:13 UTC] radical@php.net

-Summary: Segfault in php-fpm, no memcached running, sessions in memcahed +Summary: Segfault in php-fpm, no memcached running, sessions in memcached

[2012-05-11 11:13 UTC] radical@php.net

[root@[SERVERNAME] [DOMAINNAME]]# gdb /usr/local/sbin/php-fpm core
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
This GDB was configured as "x86_64-redhat-linux-gnu".
Reading symbols from /usr/local/sbin/php-fpm...done.
[New Thread 354]

Core was generated by `php-fpm: pool [DOMAINNAME]'.
Program terminated with signal 11, Segmentation fault.
#0  zend_stack_push (stack=0xf961a8, element=0x7fff9a080d18, size=8) at /root/installed/PHP/php-5.4.3/Zend/zend_stack.c:42
42		stack->elements[stack->top] = (void *) emalloc(size);
(gdb) bt
#0  zend_stack_push (stack=0xf961a8, element=0x7fff9a080d18, size=8) at /root/installed/PHP/php-5.4.3/Zend/zend_stack.c:42
#1  0x00000000007356f3 in php_output_handler_start (handler=0x7f5427021068) at /root/installed/PHP/php-5.4.3/main/output.c:563
#2  0x0000000000735bf1 in php_output_start_default () at /root/installed/PHP/php-5.4.3/main/output.c:412
#3  0x0000000000676bfd in zif_print_r (ht=<value optimized out>, return_value=0x7f5427023ea8, return_value_ptr=<value optimized out>, 
    this_ptr=<value optimized out>, return_value_used=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/ext/standard/basic_functions.c:5496
#4  0x00000000007f9a9f in zend_do_fcall_common_helper_SPEC (execute_data=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/Zend/zend_vm_execute.h:642
#5  0x00000000007e6d60 in execute (op_array=0x2d60a00) at /root/installed/PHP/php-5.4.3/Zend/zend_vm_execute.h:410
#6  0x0000000000772089 in zend_call_function (fci=0x7fff9a081010, fci_cache=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/Zend/zend_execute_API.c:958
#7  0x0000000000772e20 in call_user_function_ex (function_table=<value optimized out>, object_pp=<value optimized out>, 
    function_name=<value optimized out>, retval_ptr_ptr=<value optimized out>, param_count=<value optimized out>, 
    params=<value optimized out>, no_separation=1, symbol_table=0x0) at /root/installed/PHP/php-5.4.3/Zend/zend_execute_API.c:750
#8  0x000000000077e5bd in zend_error (type=2, format=0xc0a002 "%s") at /root/installed/PHP/php-5.4.3/Zend/zend.c:1171
#9  0x0000000000723ef6 in php_verror (docref=<value optimized out>, params=<value optimized out>, type=2, format=<value optimized out>, 
    args=<value optimized out>) at /root/installed/PHP/php-5.4.3/main/main.c:853
#10 0x000000000072450f in php_error_docref0 (docref=<value optimized out>, type=<value optimized out>, format=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/main/main.c:865
#11 0x00000000005ee00f in php_session_save_current_state () at /root/installed/PHP/php-5.4.3/ext/session/session.c:497
#12 0x00000000005ef17c in php_session_flush (type=<value optimized out>, module_number=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/ext/session/session.c:1453
#13 zm_deactivate_session (type=<value optimized out>, module_number=<value optimized out>)
    at /root/installed/PHP/php-5.4.3/ext/session/session.c:2144
#14 0x00000000007846d4 in zend_deactivate_modules () at /root/installed/PHP/php-5.4.3/Zend/zend_API.c:2333
#15 0x00000000007224d5 in php_request_shutdown (dummy=<value optimized out>) at /root/installed/PHP/php-5.4.3/main/main.c:1755
#16 0x0000000000830560 in main (argc=654247680, argv=0x7f5426ff0480) at /root/installed/PHP/php-5.4.3/sapi/fpm/fpm/fpm_main.c:1884
(gdb) quit

[2012-05-11 11:14 UTC] radical@php.net

-Status: Feedback +Status: Open

[2012-05-11 11:14 UTC] radical@php.net

Added backtrace

[2012-05-12 15:30 UTC] laruence@php.net

seems like #61728 , could you please test with the trunk? 

thanks

[2012-05-12 15:31 UTC] laruence@php.net

-Status: Open +Status: Feedback

[2012-05-14 07:27 UTC] radical@php.net

-Status: Feedback +Status: Closed -Assigned To: +Assigned To: radical

[2012-05-14 07:27 UTC] radical@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

I used the latest version from git.php.net and you were right.
No segfault.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Oct 27 16:01:27 2024 UTC